Re: Audit Failures/READ_CONTROL SYNCHRONIZE
From: Binesh Bannerjee (binesh-dated-1017922749.387722@hex21.com) Date: 03/28/02
- Next message: Scorp: "Applying security templates in NT 4.0"
- Previous message: KlausF: "Re: Can't Log In! Please Help!"
- In reply to: Eric Fitzgerald [MSFT]: "Re: Audit Failures/READ_CONTROL SYNCHRONIZE"
From: Binesh Bannerjee <binesh-dated-1017922749.387722@hex21.com> Date: 28 Mar 2002 12:20:20 GMT To: Binesh Bannerjee <binesh@hex21.com>, Eric Fitzgerald <ericf@online.microsoft.com>
Eric Fitzgerald [MSFT] <ericf@online.microsoft.com> wrote:
: The 560 object access event does not record what actions were performed on
: the file, it records what accesses were requested to the file. It does not
: mean that the program performed those operations on the file or even
: intended to do so.
: If you're using Windows 2000 then you're going to see a lot of yucky events
: like this. Access failures often occur normally, Explorer in particular
: often tries to open files with maximum privilege (which will often fail),
: and then use the failure as a UI cue: it will display the file differently.
: For instance, if you don't have Full Control on a file, Explorer will notice
: and disable parts of the security dialog. Unfortunately if you've enabled
: failure auditing then you will get an event.
: Lastly, "Read Control" and "Synchronize" are two of the standard rights:
: they are requested with almost every access. Read Control is the ability to
: read the security descriptor on the file. Synchronize is the ability to
: have the operating system notify the program of changes to the file.
: For Windows XP and Windows .NET Server we've added a new event, 567, which
: is logged when an operation is actually performed on a file. This will not
: be back-ported to Windows 2000.
Thanks, this was very helpful!
Is there a way to not log specific Event IDs? Then I just wouldn't log Event
ID 560, and I could simply open up the Security Log from time to time, and
as long as there are no lock symbols in the log, then I know everything
is OK...? Or am I trying to use auditing for something it was not intended for?
The other thing I was hoping to find was rogue programs that seem to insist
on writing to c:\winnt... How would I go about making the C drive fully
read-only? (I've already created a D drive, changed the TEMP and TMP
environment variables to D:\TEMP, and changed the print spool folder to
D:\printspool...)
Anything else you might recommend?
Thanks,
Binesh Bannerjee
: --
: Eric Fitzgerald
: Program Manager, Windows Auditing and Intrusion Detection
: Microsoft Corporation
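Editor's note: the two points in Eric's reply (a 560 event lists the accesses that were requested, not performed, and a failure that asked only for the standard rights READ_CONTROL and SYNCHRONIZE is the usual Explorer noise) together with Binesh's interest in programs writing to c:\winnt suggest filtering the exported log after the fact rather than trying to suppress an event ID. The Python script below is an added example written for this page, not code from either poster or from Microsoft. It decodes the Accesses field of 560 events into an access mask, drops failures that requested only READ_CONTROL/SYNCHRONIZE, and flags any request for write-class rights on an object under %SystemRoot%. The mask values are the winnt.h constants; the spellings of the rendered access names and the event field layout are assumptions about the log format, and the sample events are constructed.

```python
# Triage of Windows 2000 security-log 560 (object access) events.
# Added example for this page; not code from the original thread.

# Access names as rendered in the Accesses field, mapped to access-mask bits.
# Mask values are the winnt.h constants; the rendered spellings are an
# assumption about how the Event Viewer shows them.
ACCESS_NAMES = {
    "ReadData (or ListDirectory)":     0x00000001,
    "WriteData (or AddFile)":          0x00000002,
    "AppendData (or AddSubdirectory)": 0x00000004,
    "ReadEA":                          0x00000008,
    "WriteEA":                         0x00000010,
    "Execute/Traverse":                0x00000020,
    "DeleteChild":                     0x00000040,
    "ReadAttributes":                  0x00000080,
    "WriteAttributes":                 0x00000100,
    "DELETE":                          0x00010000,
    "READ_CONTROL":                    0x00020000,  # read the security descriptor
    "WRITE_DAC":                       0x00040000,
    "WRITE_OWNER":                     0x00080000,
    "SYNCHRONIZE":                     0x00100000,  # wait on the handle
    "ACCESS_SYS_SEC":                  0x01000000,  # read/write the SACL
}
NAME_FOR_BIT = {bit: name for name, bit in ACCESS_NAMES.items()}

# A failure that asked for nothing beyond these two standard rights is the
# Explorer probing described in the thread, not an attempted read or write.
STANDARD_NOISE = ACCESS_NAMES["READ_CONTROL"] | ACCESS_NAMES["SYNCHRONIZE"]

# Rights that let the caller change the object or its security descriptor.
WRITE_CLASS = 0
for _n in ("WriteData (or AddFile)", "AppendData (or AddSubdirectory)", "WriteEA",
           "DeleteChild", "WriteAttributes", "DELETE", "WRITE_DAC", "WRITE_OWNER"):
    WRITE_CLASS |= ACCESS_NAMES[_n]


def parse_accesses(names):
    """Combine the rendered access names of one event into an access mask."""
    mask = 0
    for name in names:
        name = name.strip()
        if name:
            if name not in ACCESS_NAMES:
                raise ValueError("unknown access name: %r" % name)
            mask |= ACCESS_NAMES[name]
    return mask


def describe(mask):
    """Render a mask back into the log's access names, lowest bit first."""
    return [NAME_FOR_BIT[bit] for bit in sorted(NAME_FOR_BIT) if mask & bit]


def triage(event, system_root="C:\\WINNT"):
    """'noise'  : failure requesting only READ_CONTROL/SYNCHRONIZE.
       'review' : write-class rights requested under system_root. A Success
                  here means a handle was opened with write rights, not that a
                  write happened; Windows 2000 has no event for the write itself.
       'other'  : everything else."""
    mask = parse_accesses(event["accesses"])
    if event["outcome"] == "Failure" and mask & ~STANDARD_NOISE == 0:
        return "noise"
    if mask & WRITE_CLASS and event["object_name"].upper().startswith(
            system_root.upper() + "\\"):
        return "review"
    return "other"


def scan(events):
    """Return (process, object, outcome, write rights) for events to review."""
    hits = []
    for ev in events:
        if triage(ev) == "review":
            rights = describe(parse_accesses(ev["accesses"]) & WRITE_CLASS)
            hits.append((ev["process"], ev["object_name"], ev["outcome"], rights))
    return hits


# Constructed sample events: the subset of 560 fields the triage needs.
SAMPLE_EVENTS = [
    {"outcome": "Failure", "process": "explorer.exe",
     "object_name": "C:\\Documents and Settings\\binesh\\secret.txt",
     "accesses": ["READ_CONTROL", "SYNCHRONIZE"]},
    {"outcome": "Success", "process": "notepad.exe", "object_name": "D:\\TEMP\\notes.txt",
     "accesses": ["READ_CONTROL", "SYNCHRONIZE", "ReadData (or ListDirectory)",
                  "WriteData (or AddFile)"]},
    {"outcome": "Failure", "process": "rogue.exe",
     "object_name": "C:\\WINNT\\system32\\drivers\\etc\\hosts",
     "accesses": ["READ_CONTROL", "SYNCHRONIZE", "WriteData (or AddFile)",
                  "AppendData (or AddSubdirectory)"]},
    {"outcome": "Success", "process": "setup.exe", "object_name": "C:\\WINNT\\system32\\newdll.dll",
     "accesses": ["READ_CONTROL", "SYNCHRONIZE", "WriteData (or AddFile)", "DELETE"]},
]

if __name__ == "__main__":
    for proc, obj, outcome, rights in scan(SAMPLE_EVENTS):
        print("%-8s %-12s %s  %s" % (outcome, proc, obj, ", ".join(rights)))
```

Run against the constructed events, the Explorer failure on secret.txt is dropped as noise, the notepad write under D:\TEMP is ignored because it is outside %SystemRoot%, and the two requests for write-class rights under C:\WINNT are reported. The Success hit still only proves that a handle with write rights was obtained, which is exactly the limitation of 560 that Eric describes; on Windows XP the 567 event would be the place to confirm the write.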